Windows Event Viewer is a gold mind of security information. However to find the nuggets you often have to chip away all of the useless “rock”.
I was recently tasked with finding all of the “human” logins into a particular server in our environment for a given time period. To complicate matters, there are several service accounts which login to this server ever minute or so. This floods the security log with data that is useless for my purposes.
Event Viewer is a bit of a pain to use as you can’t easily filter OUT and exclude logs you don’t want. So if you aren’t looking for something very specific it can be tough to get at what you actually want.
However, Event logs are in XML format and with a little bit of patience and a good text editor you can craft some things in code to get to where you want. In typical fashion, this took me a couple of hours of digging to finally put together the code that worked for me and as I can easily see using this again in the future, I am archiving it here as a personal resource. I hope it save you all some time as well.
Inside of event viewer, open up the security event log. On the right-had side, you should have the option to “filter current log” – click this.
Microsoft provides a GUI for the most basic of filtering. For my needs, I was interested in a specific date/time range (so I entered that) and a specific event id. The most useful Event ID for a successful interactive login that I could find is: 4624 – So I entered that as well and filtered my log.
Great… however the problem is that my log is still full of service account logins every couple of seconds. Manually digging through the log would still take hours. I needed a way to filter OUT those service account usernames. To do this, I needed to craft some custom XML.
Return again to the log filtering dialog and at the top there should be a tab called “XML” – click this. Once there, tick the box to “edit query manually” and say “ok” to any pop-ups.
To suppress information, you add the “Suppress Path” code. My final filtering XML code looked something like this:
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624) and TimeCreated[@SystemTime>='2015-04-11T16:16:31.000Z' and @SystemTime<='2015-04-12T20:16:31.999Z']]]</Select>
<Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName'] and (Data ='LoginNameOfServiceAccount')]]</Suppress>
<Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName'] and (Data ='SYSTEM')]]</Suppress>
<Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName'] and (Data ='LoginNameOfAnotherServiceAccount')]]</Suppress>
Those three suppress statements cleaned up my log extensively. I am not sure if they needed to be on three separate lines or if all three accounts could be listed together. So there might be a way to clean this up a bit. Comments Welcome!
PS. – There is probably a way to do this via powershell with the “get-eventlog” commandlet – if someone could show me a way to accomplish the same thing via powershell I would be most obliged!